ARTICLE: Taking Control of a Software Vendor Audit
22 May 2009
Following on from my article last week exploring the different results achieved by an organisation faced with a vendor audit, this article attempts to explain how best to deal with an impending audit.
This is an abridged version of an article published by ManageSoft, who are hosting a webinar with IAITAM on the 28th May. Further details can be found here.
1. Review the contract to understand audit terms and conditions
• TERMS AND CONDITIONS: Read the terms and conditions to establish whether the software publisher indeed has the right to audit the business in the first place, and understand the terms and conditions that apply in the event of non-compliance.
• FINANCIAL PENALTY EXPOSURE: Determine whether there are potential financial penalties. Some vendors impose penalties and/or charge the cost of the audit to the customer if non-compliance exceeds a certain percentage of the total license cost. Non-compliance is very seldom by design, but still represents a potential liability. Knowing the consequences can empower an enterprise to take immediate remedial action.
• DESIRED OUTCOME: Create a clear checklist of the key deliverables of the audit. If the audit goal is to establish an “effective license position”, then information on software installations must be compared to license entitlement data for all applications in question. The data to be collected may include hardware and software inventory, users, purchase order and contract information.
• RESOURCES REQUIRED: Prior to any audit, it is worth asking the publisher exactly how the audit will be performed and what level of assistance will be required by the auditors. Enterprise software audits can consume many staff-months of time during which the IT department collects the requested data.
2. Make sure the software and hardware inventory is up to date
• IT ASSET VISIBILITY: Software publishers audit businesses to make sure that the software is being used within its license terms and is appropriately paid for. This means that IT departments must have a comprehensive view of their entire IT estate, including hardware, to ascertain how the software asset is being used and whether they are in compliance.
• IT ASSET ACCURACY: To make sure that the software inventory is accurate and up to date, the fingerprint of every application installation, which includes file evidence, Add/Remove Programs entries and WMI (Windows Installer) data, must be analysed and a list of proper software titles generated for each machine.
3. Prepare Proof of Purchase and Licensing Agreements ready for inspection
• ENTITLEMENT: Prior to an audit, IT departments should ensure that all their paperwork is in order, recorded and easily accessible including paid invoices, receipts of purchases, licensing agreements and certificates – especially soft records of purchases from resellers and publishers. This proof of license entitlement is critical to the reconciliation process.
4. Demonstrate that licensing rules are understood and applied
• RECOGNISING LICENSE MODELS: A vendor license position requires much more than simply comparing purchases and installations. IT departments need to be able to demonstrate that license types, e.g. device based, named user, processor based or concurrent user, are understood in conjunction with the computing environment, such as virtual machines, multi-processor machines, user communities and physical locations. For example, Oracle database administrators must be able to show that they understand and meet the per-processor minimum for Named User Plus (NUP) licenses.
• UNDERSTANDING USAGE RIGHTS: Demonstrating that both rights of usage and limitations of usage are understood and applied across the IT estate will instil auditors’ confidence in the company. For example, the IT department must be able to show that upgrade rights and rights of second usage are applied correctly. Similarly, the IT department should demonstrate that license usage restrictions – for instance, limits on the number of virtual instances per physical host server – are respected.
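Sections 2 to 4 describe the reconciliation an auditor will perform: resolved installations (section 2) are compared with entitlement records (section 3) under the rules of each license model (section 4). The following Python script is an added illustration of that reconciliation, not code from the article or from ManageSoft. All inventory, account, entitlement and host-limit data in it is constructed, the license model names are illustrative, and the per-processor minimum of 25 is a placeholder parameter rather than any vendor's contractual figure.

```python
from collections import defaultdict

# --- Constructed sample data (not from the article) -------------------------

# Inventory: one record per resolved installation, i.e. the output of the
# fingerprinting described in section 2. "host" is the physical host for a
# virtual machine, or the device itself for physical hardware.
INSTALLS = [
    {"title": "DBServer", "device": "db01", "user": None, "host": "esx-a", "procs": 2},
    {"title": "DBServer", "device": "db02", "user": None, "host": "esx-a", "procs": 2},
    {"title": "DBServer", "device": "db03", "user": None, "host": "esx-b", "procs": 4},
    {"title": "Office", "device": "pc-101", "user": "alice", "host": "pc-101", "procs": 1},
    {"title": "Office", "device": "pc-102", "user": "bob", "host": "pc-102", "procs": 1},
    {"title": "Office", "device": "pc-103", "user": "alice", "host": "pc-103", "procs": 1},
    {"title": "CAD", "device": "ws-7", "user": "carol", "host": "ws-7", "procs": 1},
    {"title": "Sketch", "device": "pc-104", "user": "dave", "host": "pc-104", "procs": 1},
]

# Named accounts not tied to a particular installation (e.g. database logins).
ACCOUNTS = {"DBServer": {"dba1", "dba2", "app-svc"}}

# Entitlements (section 3): purchased quantity and the model it was bought under.
# "min_per_proc" is a placeholder per-processor minimum for the NUP model; the
# real figure comes from the vendor contract, not from this example.
ENTITLEMENTS = {
    "DBServer": {"model": "named_user_plus", "quantity": 100, "min_per_proc": 25},
    "Office": {"model": "device", "quantity": 2},
    "CAD": {"model": "named_user", "quantity": 1},
    "Archive": {"model": "device", "quantity": 5},  # bought but never installed
}

# Usage restriction (section 4): maximum virtual instances of a title per host.
HOST_LIMITS = {"DBServer": 1}


def _group_by_title(installs):
    by_title = defaultdict(list)
    for rec in installs:
        by_title[rec["title"]].append(rec)
    return by_title


def required_licenses(title, records, entitlement, accounts):
    """Number of licenses the installed estate consumes under the title's model."""
    model = entitlement["model"]
    devices = {r["device"] for r in records}
    users = {r["user"] for r in records if r["user"]} | set(accounts.get(title, ()))
    processors = sum(r["procs"] for r in records)
    if model == "device":
        return len(devices)
    if model == "named_user":
        return len(users)
    if model == "processor":
        return processors
    if model == "named_user_plus":
        # NUP: every processor carries a minimum user count, even if fewer
        # people actually use the software.
        return max(len(users), processors * entitlement["min_per_proc"])
    raise ValueError(f"unknown license model {model!r} for {title}")


def effective_license_position(installs=INSTALLS, entitlements=ENTITLEMENTS, accounts=ACCOUNTS):
    """Per title: licenses required, licenses entitled, and the shortfall or surplus."""
    by_title = _group_by_title(installs)
    position = {}
    for title in sorted(set(by_title) | set(entitlements)):
        records = by_title.get(title, [])
        ent = entitlements.get(title)
        if ent is None:
            # Installed with no proof of purchase: every install is a gap.
            required, entitled = len(records), 0
        else:
            required, entitled = required_licenses(title, records, ent, accounts), ent["quantity"]
        position[title] = {
            "required": required,
            "entitled": entitled,
            "shortfall": max(0, required - entitled),
            "surplus": max(0, entitled - required),
        }
    return position


def host_restriction_breaches(installs=INSTALLS, limits=HOST_LIMITS):
    """(title, host, instances, limit) for every host exceeding a per-host limit."""
    per_host = defaultdict(int)
    for rec in installs:
        per_host[(rec["title"], rec["host"])] += 1
    return [
        (title, host, count, limits[title])
        for (title, host), count in sorted(per_host.items())
        if title in limits and count > limits[title]
    ]


if __name__ == "__main__":
    for title, row in effective_license_position().items():
        print(f"{title:10} required={row['required']:4} entitled={row['entitled']:4} "
              f"shortfall={row['shortfall']:4} surplus={row['surplus']:4}")
    for breach in host_restriction_breaches():
        print("host limit breached:", breach)
```

Two points the constructed data is chosen to show: under the NUP model the 8 processors, not the 3 accounts, drive the requirement (8 × 25 = 200 against 100 entitled), and a title installed on three devices but bought for two is short by one regardless of how many distinct users it has. The per-host check is separate from the count because a restriction can be breached even when the overall quantity is sufficient.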
5. Explain what SAM policies and procedures are in place
• SAM SYSTEMS: Enterprises should show documented corporate policies and procedures for software asset and license management. These could include frequent hardware and software inventories, centralized procurement, periodic license reconciliations (monthly, quarterly, etc.), software download and installation processes, employee education programs, and internal audits.
• END USER EDUCATION: Lack of IT policy communication to employees and end user monitoring and control are common oversights on the part of IT departments. On the other hand, by educating employees on what they “may” and “may not” install, central IT can prevent rogue installations, which often jeopardize enterprises’ compliance status.
• SAM FIRE DRILL: A good way to overcome inadvertent license breaches is to conduct scheduled internal IT audits. This not only ensures that the enterprise is always ‘audit-ready’, but also reinforces the importance of adhering to IT policy to employees.
6. Don’t remove software from computers; don’t start a shopping spree
• REMOVING EVIDENCE: Often, when IT departments find that they are out of compliance, a knee-jerk reaction is to instantly remove installed software from computers, just prior to an audit. However, removed software is easily traced by auditing companies, making them suspicious, which leads to further scrutiny. Instead, pre-empting such a situation is the better option.
• COVER UP: Alternatively, in their efforts to be compliant just before an audit, IT departments often make purchases of software they need. However, it should be noted that only purchases made before the date of audit notification are considered by the auditors. Therefore, hasty purchase decisions are best avoided.
7. Automate software asset management
• PREVENTION RATHER THAN CURE: Software license compliance is complex, and this complexity will only increase as more complicated IT infrastructures such as virtualization and cloud computing take hold. Managing software assets and compliance manually is a time-consuming and onerous task, ridden with costs and risks. In general, by the time a manual assessment of an enterprise’s license position can be obtained, it is already out of date. IT departments should look to adopt tools that automate these processes to ensure ongoing license compliance.
If you would like to add any other tips for preparing for a software vendor audit then please use the comments field below or contact me privately at alerts (at) itassetmanagement.net.